
Web app security practices of the highly confident


Find out what web app security practices are used by organizations who are highly confident in their ability to withstand an app layer attack.

Published in: Technology

  1. Web App Security Practices of the Highly Confident: Security findings from F5 State of Application Delivery 2015
  2. The threat less mentioned

     Analysis of some of the biggest breaches of this century finds a great deal of attention paid to effect and less to causes. Of the top 25 breaches (as identified by number of records exposed), a perhaps surprising percentage (44%) were attributable to web application compromise.

     [Figure: Data Exposed by Top 25 Breaches 2000-2014 through web application compromise. Years shown: 2005, 2010, 2008, 2009, 2011, 2013, 2014. Data labels: 40M CC, 134M CC, 1.3M ID, 112M PII, 50M PII, 150M CC, 4.5M PII.]

     The outcome of successful web application compromise is troubling, with all three primary data types represented: credit card numbers, personal information and credentials. This stands in contrast to other breaches arising from stolen credentials or theft (human element).

     Similarly troubling is that the most vocal security initiatives of late have been SSL Everywhere and two-factor authentication. Both are certainly good practices and help improve security postures, but neither addresses the web application security needed to prevent compromises that have exposed over 600 million records in the past 14 years.

     SOURCES: Verizon DBIR 2014, trade publication reports
  3. App layer confidence

     Given the severity of outcomes experienced due to web application compromise in the past, it was somewhat surprising to find that the majority of respondents in our State of Application Delivery 2015 survey were confident or very confident on the topic of web application security. This led to further analysis of responses, with careful attention paid to security practices in this arena as reported by respondents.

     We asked about very specific web application security practices with respect to protecting data across three primary surfaces: the client, the request and the response. What we discovered was a high correlation between attention paid to all three surfaces and the level of confidence in withstanding application layer attacks as reported by respondents.

     SOURCE: F5 State of Application Delivery 2015
  4. Best Practices

     Web application security best practices focus on making decisions whether to allow or deny (or scrub) data at different points in the client-app conversation:

     • When the client first connects
     • When a request from the client is received
     • When a response from the app is received

     Web application security services are able to make decisions regarding the legitimacy of the client based on variables like geolocation, operating system and device type; whether requests are malicious or not based on the presence of signatures and other malicious tells; and whether responses conform to expectations or contain sensitive data.

     We asked respondents to categorize their protection at each of these three potential attack indicator points as either “always”, “sometimes” or “never”. Then we looked at these answers in relation to respondents' level of confidence. The correlation between the two was readily apparent: organizations employing more comprehensive web application security practices were highly confident in their ability to withstand an application layer attack.

     [Figure: ALWAYS PROTECT, by surface (Client, Request, Response) for Low Confidence, Confidence and High Confidence respondents; axis 0% to 100%.]

     SOURCE: F5 State of Application Delivery 2015
  5. Comprehensive web app security practices lead to confidence

     High Confidence      Client   Request   Response
     Always Protect       66%      69%       63%
     Sometimes Protect    17%      13%       14%
     Never Protect        2%       1%        3%

     Confidence           Client   Request   Response
     Always Protect       59%      55%       37%
     Sometimes Protect    26%      27%       34%
     Never Protect        2%       4%        8%

     Low Confidence       Client   Request   Response
     Always Protect       41%      18%       41%
     Sometimes Protect    47%      65%       41%
     Never Protect        6%       6%        6%
  6. Thank you. You can download the full State of Application Delivery 2015 report at http://f5.com/SOAD
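
The three decision points from slide 4 (client connect, request, response), sketched as an added example that is not taken from the F5 report or any F5 product. The policy values, signature patterns, function names and sample inputs are all constructed assumptions.

```python
import re

# All policy values below are constructed for illustration (assumptions).
BLOCKED_COUNTRIES = {"ZZ"}                      # placeholder country code
ALLOWED_DEVICES = {"desktop", "mobile", "tablet"}
REQUEST_SIGNATURES = [                          # simple "malicious tells"
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"<script\b", re.I),
    re.compile(r"\.\./"),
]
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, used to avoid masking arbitrary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def check_client(country, device):
    """Decision point 1: when the client first connects."""
    ok = country not in BLOCKED_COUNTRIES and device in ALLOWED_DEVICES
    return "allow" if ok else "deny"

def check_request(raw_request):
    """Decision point 2: when a request from the client is received."""
    hit = any(sig.search(raw_request) for sig in REQUEST_SIGNATURES)
    return "deny" if hit else "allow"

def scrub_response(body):
    """Decision point 3: mask card numbers in the app's response."""
    def mask(match):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group()
    scrubbed = CARD_CANDIDATE.sub(mask, body)
    return ("scrub" if scrubbed != body else "allow"), scrubbed

def handle(country, device, raw_request, app):
    """Run all three checks; the app is only called if the first two pass."""
    if check_client(country, device) == "deny":
        return "deny", "client", None
    if check_request(raw_request) == "deny":
        return "deny", "request", None
    decision, body = scrub_response(app(raw_request))
    return decision, "response", body
```

A request denied at the client or request surface never reaches the application, while the response check can still scrub data from requests that looked legitimate, which is why the survey asks about all three surfaces separately.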
